192 lines
4.9 KiB
Bash
Executable File
192 lines
4.9 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# dejavuln-autoroot
|
|
# by throwaway96
|
|
# https://github.com/throwaway96/dejavuln-autoroot
|
|
# Copyright 2024. Licensed under AGPL v3 or later. No warranties.
|
|
|
|
# Thanks to:
|
|
# - Jacob Clayden (https://jacobcx.dev/) for discovering DejaVuln
|
|
# - Bitdefender for their writeup of CVE-2023-6319
|
|
# (https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/)
|
|
# - LG for being incompetent
|
|
|
|
set -e
|
|
|
|
USB_PATH="${USB_PATH:-$(dirname -- "${0}")}"
|
|
DEBUG="${DEBUG:-}"
|
|
IPK_SRC="${IPK_SRC:-"${USB_PATH}/hbchannel-0.6.3.ipk"}"
|
|
|
|
toast() {
|
|
[ -n "${logfile}" ] && debug "toasting: '${1}'"
|
|
|
|
title='dejavuln-autoroot'
|
|
srcapp='com.palm.app.settings'
|
|
escape1="${1//\\/\\\\}"
|
|
escape="${escape1//\"/\\\"}"
|
|
payload="$(printf '{"sourceId":"%s","message":"<h3>%s</h3>%s"}' "${srcapp}" "${title}" "${escape}")"
|
|
luna-send -w 1000 -n 1 -a "${srcapp}" 'luna://com.webos.notification/createToast' "${payload}" >/dev/null
|
|
}
|
|
|
|
debug() {
|
|
[ -z "${DEBUG}" ] && return
|
|
|
|
msg="[d] ${1}"
|
|
echo "${msg}"
|
|
echo "${msg}" >>"${logfile}"
|
|
fsync -- "${logfile}"
|
|
}
|
|
|
|
log() {
|
|
msg="[ ] ${1}"
|
|
echo "${msg}"
|
|
echo "${msg}" >>"${logfile}"
|
|
fsync -- "${logfile}"
|
|
}
|
|
|
|
error() {
|
|
msg="[!] ${1}"
|
|
echo "${msg}"
|
|
echo "${msg}" >>"${logfile}"
|
|
fsync -- "${logfile}"
|
|
toast "<b>Error:</b> ${1}"
|
|
}
|
|
|
|
get_sdkversion() {
|
|
luna-send -w 1000 -n 1 -q 'sdkVersion' -f 'luna://com.webos.service.tv.systemproperty/getSystemInfo' '{"keys":["sdkVersion"]}' | sed -n -e 's/^\s*"sdkVersion":\s*"\([0-9.]\+\)"\s*$/\1/p'
|
|
}
|
|
|
|
lockfile='/tmp/autoroot.lock'
|
|
exec 200>"${lockfile}"
|
|
|
|
flock -x -n -- 200 || { echo '[!] Another instance of this script is currently running'; exit 2; }
|
|
|
|
trap -- "rm -f -- '${lockfile}'" EXIT
|
|
|
|
[ -e "${USB_PATH}/autoroot.debug" ] && DEBUG='file'
|
|
|
|
[ -n "${DEBUG}" ] && toast 'Script is running!'
|
|
|
|
umask 022
|
|
|
|
if ! tempdir="$(mktemp -d -- '/tmp/autoroot.XXXXXX')"; then
|
|
echo '[x] Failed to create random temporary directory; using PID-based fallback'
|
|
tempdir="/tmp/autoroot.${$}"
|
|
if ! mkdir -- "${tempdir}"; then
|
|
echo "[x] PID-based fallback temporary directory ${tempdir} already exists"
|
|
tempdir='/tmp/autoroot.temp'
|
|
rm -rf -- "${tempdir}"
|
|
mkdir -- "${tempdir}"
|
|
fi
|
|
fi
|
|
|
|
logfile="${tempdir}/log"
|
|
touch -- "${logfile}"
|
|
|
|
if [ -n "${DEBUG}" ]; then
|
|
loglink='/tmp/autoroot.log'
|
|
rm -rf -- "${loglink}"
|
|
ln -s -- "${logfile}" "${loglink}"
|
|
fi
|
|
|
|
log 'hi'
|
|
|
|
log "script path: ${0}"
|
|
|
|
debug "temp dir: ${tempdir}"
|
|
|
|
log "date: $(date -u -- '+%Y-%m-%d %H:%M:%S UTC')"
|
|
log "id: $(id)"
|
|
|
|
usb_oncefile="${USB_PATH}/autoroot.once"
|
|
tmp_oncefile='/tmp/autoroot.once'
|
|
|
|
[ -e "${usb_oncefile}" -a -e "${tmp_oncefile}" ] && { log 'Script already executed'; exit 3; }
|
|
|
|
touch -- "${usb_oncefile}" "${tmp_oncefile}"
|
|
fsync -- "${usb_oncefile}"
|
|
|
|
trap -- "cp -f -- '${logfile}' '${USB_PATH}/autoroot.log'" EXIT
|
|
|
|
webos_ver="$(get_sdkversion)"
|
|
|
|
log "webOS version: ${webos_ver}"
|
|
|
|
if [ ! -f "${IPK_SRC}" ]; then
|
|
error "IPK not found at '${IPK_SRC}'."
|
|
exit 1
|
|
fi
|
|
|
|
if [ -d '/var/luna/preferences/devmode_enabled' ]; then
|
|
log 'devmode_enabled is already a directory; is your TV already rooted?'
|
|
else
|
|
if [ -e '/var/luna/preferences/devmode_enabled' ]; then
|
|
log 'devmode_enabled exists; make sure the LG Dev Mode app is not installed!'
|
|
toast "Make sure the LG Dev Mode app isn't installed!"
|
|
|
|
rm -f -- '/var/luna/preferences/devmode_enabled'
|
|
else
|
|
debug 'devmode_enabled does not exist'
|
|
fi
|
|
|
|
if ! mkdir -- '/var/luna/preferences/devmode_enabled'; then
|
|
error 'Failed to create devmode_enabled directory'
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if restart appinstalld >/dev/null; then
|
|
debug 'appinstalld restarted'
|
|
else
|
|
log 'Failed to restart appinstalld'
|
|
fi
|
|
|
|
ipkpath="${tempdir}/hbchannel.ipk"
|
|
|
|
cp -- "${IPK_SRC}" "${ipkpath}"
|
|
|
|
instpayload="$(printf '{"id":"com.ares.defaultName","ipkUrl":"%s","subscribe":true}' "${ipkpath}")"
|
|
|
|
fifopath="${tempdir}/fifo"
|
|
|
|
mkfifo -- "${fifopath}"
|
|
|
|
log "Installing ${ipkpath}..."
|
|
toast 'Installing...'
|
|
|
|
luna-send -w 20000 -i 'luna://com.webos.appInstallService/dev/install' "${instpayload}" >"${fifopath}" &
|
|
luna_pid="${!}"
|
|
|
|
if ! result="$(fgrep -m 1 -e 'installed' -e 'failed' -e 'Unknown method' -- "${fifopath}")"; then
|
|
rm -f -- "${fifopath}"
|
|
error 'Install timed out'
|
|
exit 1
|
|
fi
|
|
|
|
kill -TERM "${luna_pid}" 2>/dev/null || true
|
|
rm -f -- "${fifopath}"
|
|
|
|
case "${result}" in
|
|
*installed*) ;;
|
|
*"Unknown method"*)
|
|
error 'Installation failed (devmode_enabled not recognized)'
|
|
exit 1
|
|
;;
|
|
*failed*)
|
|
error 'Installation failed'
|
|
exit 1
|
|
;;
|
|
*)
|
|
error 'Installation failed for unknown reason'
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
if ! /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service >"${tempdir}/elevate.log"; then
|
|
error 'Elevation failed'
|
|
exit 1
|
|
fi
|
|
|
|
log 'Rooting complete'
|
|
toast 'Rooting complete. <h4>Do not install the LG Dev Mode app while rooted!</h4>'
|